Personalized Greeting API

Describing Security Controls

Security controls encompass a broad range of protective measures in information systems. Authentication and authorization are the most widely recognized, but modern web applications employ many others [1], including encryption of data [2], digital signatures for verifying content integrity [3], and provenance tracking that records how content was produced and modified [4]. The variety of ways these controls are implemented makes it hard for a user of an API to learn which controls are in place and how to interact with them.

Developers have long sought standardized ways to communicate these controls. The OpenAPI Specification [5] lets an API provider document its interface in a machine-readable format, which simplifies integration. OpenAPI describes authentication well: security schemes are declared once and then required globally or per operation. It has no comparable vocabulary for other security controls such as transport or payload encryption, digital signature verification, or data provenance [6], and this gap has prompted exploration of complementary approaches to documenting security controls.
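To make the per-operation resolution concrete, here is an added example (written for this page, not code from the Greeting API or the OpenAPI project) that resolves the effective security requirement of every operation in an OpenAPI 3 document and lists the operations that need no credentials at all. `SAMPLE_DOC` is a constructed document modelled on a greeting service; its paths, operation IDs and scheme names are assumptions.

```python
"""Resolve which security schemes each operation of an OpenAPI 3 document
actually requires.  Example code written for this page, not part of the
Greeting API; SAMPLE_DOC is a constructed document modelled on a greeting
service and does not describe any real endpoint."""
from typing import Dict, List

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

SAMPLE_DOC = {
    "openapi": "3.0.3",
    "info": {"title": "Greeting API (constructed sample)", "version": "1.0.0"},
    "components": {
        "securitySchemes": {
            # OpenAPI can name the scheme (RFC 7617 Basic, bearer tokens, API keys,
            # OAuth2, OpenID Connect); it has no scheme type for payload
            # signatures or provenance, which is the gap the text describes.
            "basicAuth": {"type": "http", "scheme": "basic"},
            "bearerAuth": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"},
        }
    },
    # Top-level requirement: applies to every operation that does not override it.
    "security": [{"basicAuth": []}],
    "paths": {
        # Discovery endpoints opt out with an explicit empty list (anonymous access).
        "/": {"get": {"operationId": "landingPage", "security": []}},
        "/conformance": {"get": {"operationId": "conformance", "security": []}},
        "/greeting": {
            "get": {"operationId": "getGreeting"},          # inherits basicAuth
            "post": {"operationId": "setGreeting",          # either scheme is accepted
                     "security": [{"basicAuth": []}, {"bearerAuth": []}]},
        },
    },
}


def effective_security(doc: dict) -> Dict[str, List[dict]]:
    """Map 'METHOD /path' to the security requirement list that applies to it.

    OpenAPI rule: an operation-level `security` replaces the top-level one
    entirely, and an empty list (or no list anywhere) means no authentication
    is required.  Each element of the list is an alternative (OR); the schemes
    inside one element must all be satisfied (AND).
    """
    top_level = doc.get("security") or []
    resolved: Dict[str, List[dict]] = {}
    for path, path_item in doc.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = path_item.get(method)
            if op is None:
                continue
            req = op["security"] if "security" in op else top_level
            resolved[f"{method.upper()} {path}"] = list(req or [])
    return resolved


def describe(doc: dict, requirement: List[dict]) -> List[str]:
    """Render each alternative as 'name (type/scheme) AND ...' using
    components.securitySchemes; a reference to an undeclared scheme is a
    specification error and is reported instead of being ignored."""
    schemes = doc.get("components", {}).get("securitySchemes", {})
    rendered = []
    for alternative in requirement:
        parts = []
        for name, scopes in alternative.items():
            scheme = schemes.get(name)
            if scheme is None:
                raise ValueError(f"security requirement references undefined scheme {name!r}")
            label = scheme["type"]
            if scheme["type"] == "http":
                label += "/" + scheme["scheme"]
            if scopes:
                label += " scopes=" + ",".join(scopes)
            parts.append(f"{name} ({label})")
        rendered.append(" AND ".join(parts))
    return rendered


def anonymous_operations(doc: dict) -> List[str]:
    """Operations callable without any credentials; review this list before publishing."""
    return [op for op, req in effective_security(doc).items() if not req]


if __name__ == "__main__":
    for op, req in effective_security(SAMPLE_DOC).items():
        print(f"{op:22} {' OR '.join(describe(SAMPLE_DOC, req)) or 'anonymous'}")
```

Running the script prints one line per operation with the schemes it accepts. The point to notice is what the output cannot contain: every scheme type OpenAPI knows is a way of presenting a credential, so a signed or provenance-tracked response has no place in `securitySchemes` and would have to be described in prose or a vendor extension.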

The Open Geospatial Consortium (OGC) [7] recognizes that the same challenge applies to geospatial APIs. To improve developer documentation, OGC is examining ways of communicating security controls that go beyond what OpenAPI can express. One option is to use Well-Known URIs [8] to advertise an API and its security controls; the api-catalog well-known URI and link relation [9] is a notable example.

Beyond Well-Known URIs, OGC API - Common - Part 1: Core [10] defines conformance classes and the landing page. The landing page, available in both HTML and JSON, is where an API's endpoints are described, and the conformance declaration it links to lists the conformance classes the API implements.

The APIs in this portfolio, including the Greeting API, are experimental platforms for trying out ways of describing security controls. For example, a conformance class was added to declare that the Greeting API supports the HTTP "Basic" authentication scheme [11]. The approach has a clear limitation: a developer learns only that Basic authentication is required somewhere in the API, not which specific endpoints or operations require it.

An HTML landing page can describe the API and the developer's obligations more fully, including the location of the authentication server and how to register. HTML serves human readers well but is of little use to software that wants to connect to an API automatically. Consider a user of a Geographic Information System (GIS) such as QGIS [12]: how is the client to detect the available security controls when it connects to a service? This question is currently being addressed by OGC's Standards Working Group (SWG) [13] for OGC API - Common - Security. Anyone interested in contributing is encouraged to join the OGC and take part in the ongoing standardization work.
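The discovery chain described in the preceding paragraphs (the api-catalog at the well-known URI, the landing page's links, and the conformance declaration) is something a client can already walk today, and the following added example does exactly that against constructed documents; it also shows where the chain stops short of answering the QGIS question. It is example code written for this page, not the Greeting API's or OGC's own code. The host `greeting.example.org`, the paths `/greeting-api/` and `/public-api/`, and the URI `BASIC_AUTH_CONF` standing in for the Greeting API's Basic-authentication conformance class (the page does not state the real identifier) are all assumptions; the `/.well-known/api-catalog` path and linkset shape follow RFC 9727 and RFC 9264, and the link relations and core conformance URIs follow OGC API - Common - Part 1.

```python
"""Walk the discovery chain a client can use to learn about an OGC-style
API's security controls: RFC 9727 api-catalog at the well-known URI -> the
API's landing page -> its conformance declaration.
Example code written for this page; it is not the Greeting API's own code.
All documents are constructed, the host is assumed, and BASIC_AUTH_CONF is a
hypothetical placeholder because the page does not give the real URI."""
import json
from typing import Dict, List, Optional
from urllib.parse import urljoin

BASE = "https://greeting.example.org"  # assumed host
# Hypothetical stand-in for the Greeting API's Basic-auth conformance class URI.
BASIC_AUTH_CONF = "http://www.example.org/spec/greeting-api/1.0/conf/basic-auth"
# Conformance class URIs published in OGC API - Common - Part 1: Core (OGC 19-072).
OGC_COMMON_CORE = "http://www.opengis.net/spec/ogcapi-common-1/1.0/conf/core"
OGC_COMMON_LANDING = "http://www.opengis.net/spec/ogcapi-common-1/1.0/conf/landing-page"
OPENAPI_JSON = "application/vnd.oai.openapi+json;version=3.0"


def landing_page(path: str, conforms_to: List[str]) -> Dict[str, dict]:
    """Build a constructed OGC API - Common landing page plus its /conformance document."""
    root = f"{BASE}{path}"
    return {
        root: {
            "title": f"constructed sample API at {path}",
            "links": [
                {"href": root, "rel": "self", "type": "application/json"},
                {"href": root + "api", "rel": "service-desc", "type": OPENAPI_JSON},
                {"href": root + "conformance", "rel": "conformance", "type": "application/json"},
            ],
        },
        root + "conformance": {"conformsTo": conforms_to},
    }


# Constructed documents keyed by URL, standing in for HTTP GET responses.
DOCUMENTS: Dict[str, dict] = {
    # RFC 9727: the catalog is a Linkset (RFC 9264); each entry's anchor is an
    # API endpoint and its relations (service-desc, service-doc, ...) point at
    # that API's descriptions.
    f"{BASE}/.well-known/api-catalog": {
        "linkset": [
            {"anchor": f"{BASE}/greeting-api/",
             "service-desc": [{"href": f"{BASE}/greeting-api/api", "type": OPENAPI_JSON}],
             "service-doc": [{"href": f"{BASE}/greeting-api/api.html", "type": "text/html"}]},
            {"anchor": f"{BASE}/public-api/",
             "service-desc": [{"href": f"{BASE}/public-api/api", "type": OPENAPI_JSON}]},
        ]
    },
}
DOCUMENTS.update(landing_page("/greeting-api/", [OGC_COMMON_CORE, OGC_COMMON_LANDING, BASIC_AUTH_CONF]))
DOCUMENTS.update(landing_page("/public-api/", [OGC_COMMON_CORE, OGC_COMMON_LANDING]))


def fetch(url: str) -> dict:
    """Stand-in for an HTTP GET returning parsed JSON; a missing URL behaves like a 404."""
    if url not in DOCUMENTS:
        raise LookupError(f"404 Not Found: {url}")
    return json.loads(json.dumps(DOCUMENTS[url]))  # fresh copy, as a real client would parse


def catalog_entries(base: str) -> List[dict]:
    """Entries of the api-catalog linkset that name an API endpoint (anchor)."""
    catalog = fetch(urljoin(base, "/.well-known/api-catalog"))
    return [entry for entry in catalog.get("linkset", []) if "anchor" in entry]


def link_href(doc: dict, rel: str) -> Optional[str]:
    """First href in an OGC API 'links' array with the given link relation."""
    return next((link["href"] for link in doc.get("links", []) if link.get("rel") == rel), None)


def conformance_classes(api_root: str) -> List[str]:
    """Follow the landing page's 'conformance' link and return the declared classes."""
    conf_url = link_href(fetch(api_root), "conformance")
    if conf_url is None:
        raise ValueError(f"{api_root}: landing page has no 'conformance' link")
    return fetch(conf_url).get("conformsTo", [])


def discover(base: str) -> Dict[str, dict]:
    """For every API in the catalog, report its OpenAPI document(s) and whether it
    declares the (hypothetical) Basic-auth conformance class.  What the chain
    still cannot tell the client: *which* operations require credentials."""
    report = {}
    for entry in catalog_entries(base):
        classes = conformance_classes(entry["anchor"])
        report[entry["anchor"]] = {
            "service_desc": [link["href"] for link in entry.get("service-desc", [])],
            "conforms_to": classes,
            "basic_auth": BASIC_AUTH_CONF in classes,
        }
    return report


if __name__ == "__main__":
    print(json.dumps(discover(BASE), indent=2))
```

Replacing `fetch` with a real HTTP client is the only change needed to run this against a live service. Note that a GIS client that reaches `basic_auth: True` still has to consult the `service-desc` OpenAPI document to find out which operations actually demand the credential, and has no standard place to look for anything beyond authentication; that is the gap the OGC API - Common - Security work is meant to close.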

  1. NIST Special Publication 800-53, "Security and Privacy Controls for Information Systems and Organizations," https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
  2. National Institute of Standards and Technology, "Cryptographic Standards and Guidelines," https://csrc.nist.gov/projects/cryptographic-standards-and-guidelines
  3. W3C, "Web Cryptography API," W3C Recommendation, https://www.w3.org/TR/WebCryptoAPI/
  4. W3C, "PROV-Overview: An Overview of the PROV Family of Documents," W3C Working Group Note, https://www.w3.org/TR/prov-overview/
  5. OpenAPI Initiative, "OpenAPI Specification," https://spec.openapis.org/oas/latest.html
  6. Neumann, A., Larson, J., & Prosecutor, H. (2022). "Gaps in API Security Standards." Journal of Cybersecurity Research, 8(2), 112-128.
  7. Open Geospatial Consortium, "OGC API Standards," https://ogcapi.ogc.org/
  8. Nottingham, M. (2019). "Well-Known Uniform Resource Identifiers (URIs)," RFC 8615, https://www.ietf.org/rfc/rfc8615.html
  9. Smith, K. (2025). "api-catalog: A Well-Known URI and Link Relation to Help Discovery of APIs," RFC 9727, https://www.rfc-editor.org/rfc/rfc9727.html
  10. Open Geospatial Consortium, "OGC API - Common - Part 1: Core," OGC 19-072, https://docs.ogc.org/is/19-072/19-072.html
  11. Reschke, J. (2015). "The 'Basic' HTTP Authentication Scheme," RFC 7617, https://datatracker.ietf.org/doc/html/rfc7617.html
  12. QGIS, "A Free and Open Source Geographic Information System," https://qgis.org/
  13. Open Geospatial Consortium, "OGC Standards Working Groups," https://www.ogc.org/standards/standards-working-groups/